Phishing scam

Received this little gem of a scam email (maybe a 419 technically, but it's more phishing) that one of my work's clients got.

It appears that when replied to, it will send to [email protected]. Definitely has all the false, limited-time call-to-action flags triggered. And there's the fact that it isn't a domain owned by the law firm they claim to be representing; on the actual website everything ends with @WebbLLC.com as the domain.

Looking at the website through an archive site to capture it, the button doesn't appear to do anything at first glance, but knowing how JavaScript works, it does something; there is some odd code in a .js file where it tries to reach out to https://top-fwz1.mail.ru/js/code.js for the file itself. I archived both the site and the JS to view them (site: https://archive.vn/ZRFxy, js: https://archive.vn/QCWT0). I have some experience in coding, but it's been a while since I last delved into it, so someone here with better coding knowledge than I have may be able to pull more meaning out of this than I can. As for that Gmail account, have fun with it and show off any responses you get from it.

From: Webb, Klase & Lemond, LLC [mailto:[email protected]]
Sent: Wednesday, April 1, 2020 8:19 AM
To: [redacted]
Subject: Claim Your Settlement Payment in Worldpay US Class Action

DON’T MISS OUT
FILE YOUR CLAIM NOW!
Dear [redacted]:

We are writing to remind you that you are entitled to a portion of a $15 million class action settlement with Worldpay US, Inc. which is your current or former credit card processor.

To get this payment, you MUST file a claim. The process is easy, and will take you less than one minute.

You can file your claim online by clicking on this link: https://kccsecure.com/WorldPayUSsettlement/Claimant

Follow the simple instructions on the webpage.

For purposes of completing your claim form, your Identification Number is 10026067601.

Please note that if you had more than one account with Worldpay, you may be entitled to file multiple claims. If this applies to you, please refer back to the original notices you received in February, or write us at [email protected].

To get more information, please visit the settlement website at: http://worldpayussettlement.com/

Sincerely,

Settlement Class Counsel

Copyright © 2020 Webb Klase & Lemond LLC, All rights reserved.
You are receiving this email because you opted in via our website.

Our mailing address is:

Webb Klase & Lemond LLC

1900 The Exchange SE Ste 480

Atlanta, GA 30339-2049

I did find some additional details by running a WHOIS search on that scuzzy URL. Turns out it’s registered in Australia.

Domain Name: kccsecure.com
Registry Domain ID: 2021754189_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2019-11-12T00:48:55Z
Creation Date: 2016-04-14T23:59:24Z
Registrar Registration Expiration Date: 2021-04-15T03:59:24Z
Registrar: CSC CORPORATE DOMAINS, INC.
Sponsoring Registrar IANA ID: 299
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: Computershare Limited
Registrant Street: 452 Johnston Street
Registrant City: Melbourne
Registrant State/Province: VIC
Registrant Postal Code: 3067
Registrant Country: AU
Registrant Phone: +61.394155000
Registrant Phone Ext:
Registrant Fax: +61.394155000
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: DNS Admin
Admin Organization: Computershare Limited
Admin Street: 452 Johnston Street
Admin City: Melbourne
Admin State/Province: VIC
Admin Postal Code: 3067
Admin Country: AU
Admin Phone: +61.394155000
Admin Phone Ext:
Admin Fax: +61.394155000
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name: DNS Admin
Tech Organization: Computershare Limited
Tech Street: 452 Johnston Street
Tech City: Melbourne
Tech State/Province: VIC
Tech Postal Code: 3067
Tech Country: AU
Tech Phone: +61.394155000
Tech Phone Ext:
Tech Fax: +61.394155000
Tech Fax Ext:
Tech Email:
Name Server: ns4.computershare.com
Name Server: ns5.computershare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
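As an added example (not part of the original post, and not anything published by the law firm or the settlement administrator), here is a small Python triage script that mechanises the checks the poster applied by eye: does the Reply-To address leave the sender's domain, do the links point somewhere other than the sender's domain, and does the body lean on urgency language. The message it parses is a constructed stand-in: the addresses are placeholders under .example (the real ones are redacted above), while the two link hosts are the ones that appear in the e-mail. As the rest of the thread shows, these are signals for a human to follow up on, not a verdict; a legitimate mailing can trip all three.

```python
"""Flag the header/link/urgency signals that make a claim notice look like phishing."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: placeholder addresses under .example stand in for the
# redacted ones in the thread; the two link hosts are the ones from the e-mail.
SAMPLE_EMAIL = """\
From: "Webb, Klase & Lemond, LLC" <notices@webbllc.example>
Reply-To: settlement.replies@gmail.example
To: recipient@client.example
Subject: Claim Your Settlement Payment in Worldpay US Class Action
Content-Type: text/plain; charset="us-ascii"

DON'T MISS OUT
FILE YOUR CLAIM NOW!

To get this payment, you MUST file a claim. The process is easy, and will
take you less than one minute.

You can file your claim online by clicking on this link:
https://kccsecure.com/WorldPayUSsettlement/Claimant

To get more information, please visit the settlement website at:
http://worldpayussettlement.com/
"""

URGENCY_PHRASES = ("don't miss out", "claim now", "you must", "less than one minute")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com/.ru/.example, wrong for
    co.uk-style suffixes; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts, undoing any transfer encoding."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return the mismatch/urgency signals found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = address_domain(msg.get("From"))
    reply_to = address_domain(msg.get("Reply-To"))
    text = body_text(msg)
    link_domains = sorted({registrable_domain(h) for h in URL_HOST_RE.findall(text)})
    lowered = text.lower()
    return {
        "sender_domain": sender,
        "reply_to_domain": reply_to,
        # Reply-To is set and points at a different registrable domain than From.
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
        "link_domains": link_domains,
        # Links that do not share the sender's domain: verify each out of band.
        "off_domain_links": [d for d in link_domains if d != sender],
        "urgency_hits": [p for p in URGENCY_PHRASES if p in lowered],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run it on the sample and every signal fires, which is exactly the point of the thread: the output tells you what to verify (call the firm through a number you looked up yourself, check who the link domains are registered to), not whether the mail is fake.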

“And there's the fact that it isn't a domain owned by the law firm they claim to be representing; on the actual website everything ends with @WebbLLC.com as the domain.”

-- Umm... WebbLLC.com is the website of the law firm, Webb, Klase & Lemond LLC.

An email exchange with the law firm (initiated by going to the firm’s website and using their “contact” address, responded to by one of the partners) confirms the original email is legitimate.

@Kurttterrr#135550 This was a couple of weeks ago and I couldn't find anything else on it. I tried emailing the people involved and all that, but got nowhere in confirming anything on a burner account, despite “discussing” it with the person on the other side. There are still things that stand out to me. I know that the law firm itself exists and that the domain is legit; it's just that having a Gmail account as the reply-to seems sketchy as all hell. I mean, why not create an email address specifically for this on your own domain? I've seen a couple of scams like this in the past where some coattail rider creates a website, akin to how in the movie industry you have “mockbusters” that fool you into purchasing something similar to, but not, the thing you thought it was. My work, which works with several clients who got this email, confirmed that the lawsuit was real as well; it's just that something about that email is really sketchy in my opinion. If my work can create a new email in less than an hour on our domain for a specific purpose like this, why can't they?

@phillych3zst3ak#135633 As one of the attorneys at the law firm who has worked on this lawsuit and the settlement, I can assure you that this is not a scam. The lawsuit is real and the settlement is real. I’m sorry that you feel our use of a Gmail account was sketchy. I am more than happy to speak with you or anyone else who received the email and has questions. I can be reached at (770) 444-9325.

In addition to emailing them via the address they list for contacting the law firm, I called and left a voice mail message.

A few hours after the quick email reply I received from one of the partners, the same person returned my call. I mentioned that some elements in the original email had made me wary -- including the use of a Gmail reply address.

Turns out they wrote it themselves, without the aid of someone with email marketing experience or knowledge of best practices. He knew that the form they were driving traffic to didn't ask for any information -- it really doesn't; it's prepopulated with the customer info and just asks you to indicate if you want to be included in the class action settlement -- which should put people at ease. But he readily agreed there was no way for the recipient to know that when trying to decide if it's safe to click on that link.

And he said they'd try to do better the next time they have something like this.

I believe it's just a matter of not knowing what you don't know.

@Kurttterrr#135737 In that I agree. They stuck to what they do, which is law. My company has run into things like that where you “outsource” something to someone else and they bungle it. But yeah, I was mistaken. I probably should have dug deeper.